Items Tagged with "Access Control"

There are improvements you can introduce that are seamless, low-cost , don't present a new burden to your users, and/or are easy to implement. So in between your major IT Security projects that may or may not happen, why not improve you security posture and lower your overall risks?

That’s right, I got an email with my username and password listed right there. That probably doesn’t anger normal people (let alone drive them to write an article about it), but I have never been accused of being normal so I’m pretty annoyed. Here, in no particular order, are my reasons for the anger and frustration...

I had one sysadmin a few years ago who demanded we all use 64 character passwords and every other character had to switch type. It was something like ^y?M3aI`B[a/ and so on... It took two minutes to type it in and I had to carry a paper with the password written on it. I was so glad when he left...

I'm running a small experiment on myself in which I've set up an account on a public, high-traffic web-based system out there that has a ton of my personal information. I've not changed my password in almost 6 months, but I still feel relatively good and certain that I am the only one who has access to my stuff...

Every organization experiences user frustrations and complications that result in support calls to the help desk. While each call may seem to suggest a unique problem, there could be a common root cause amongst them. Help desk calls often seem to be black and white – the machine works and now it doesn’t...

The numerous attacks and data breaches occurred during the last 12 months demonstrate that despite attention to security, the principal causes of the incidents are leak of authentication processes, absence of input validation on principal applications, and of course the human factor...

Users with admin rights are loose cannons -- you just don’t know when or where they are going to strike, and the results can be devastating to the company’s security infrastructure. Once a problem occurs, it often unravels into a downward spiral taking your business - and reputation - down with it...

What happens if you go perusing through your corporate file-share lists, applications directories and such... and find some interesting stuff that you aren't technically supposed to have access to yet the controls in place have no problem giving you permission? Does anyone notice?

The fact that usernames and passwords were being logged to a plaintext file itself is problematic, even if the passwords are being hashed when stored in a database, if such data is logged in plain text it defeats the entire purpose...

The CFAA only permits claims for accessing a protected computer “without authorization” and “exceeds authorized access” “only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access...”

The decision was made during the consultation process that universal design and accessibility issues should be outside the scope of the document. That was a necessary decision as the drive was to come up with a readily consumable document that vendors could easily comply with...

Looks like Windows 8 is capped at a 16 character limit for compatibility with existing Microsoft Accounts. With the decrease of the character set, by limiting special characters for compatibility with Microsoft’s other services, the passwords are less secure than before...

Organizations are motivated to prioritize ease of use over security if they feel their target audience won't be able to use advanced features without support. The result is that the password reset process to an address of record is the easiest way to get into an account. And of course attackers know this too...

If you choose to use your personal device for work, then your employer will more than likely want control over that device. This means like in a company mobile liability policy, the employer may have remote capabilities to monitor activity and in the event of loss or employee termination, wipe the data...

Yahoo and LinkedIn were recently breached and usernames and passwords were stolen. These sites did something wrong that allowed those passwords to get hacked. However passwords themselves are too hackable. If multi-factor authentication was used, then the hacks may be a moot point and the data useless...

Siemens has reported a privilege escalation vulnerability in the Siemens COMOS database application. Authenticated users with read privileges could escalate their privileges by exploiting this vulnerability. Thus, the attacker is able to gain administrator access to the database...